Unique study sheds light on DDoS attacks
SIDN and NBIP (the Dutch National Internet Providers Management Organisation) have been working together on a detailed study designed to shed more light on DDoS attacks. Both organisations have access to important datasets: NBIP is able to see which IP addresses have come under attack, while SIDN can link those addresses to domains. By linking and analysing their data, the two organisations have therefore been able to gain valuable insights. Together, they have undertaken a study that is unique, not only in the Dutch context, but also internationally. New light has been shed on the particular industries and regions affected, on attack patterns, on the economic impact of DDoS attacks and on the risk of collateral damage. In the period ahead, that will translate into improved DDoS mitigation and greater public awareness. NBIP's Chief Executive Octavia de Weerdt and SIDN Business Analyst Nick Boerman have been giving us a sneak preview of the results.
Focus on DDoS
NBIP has been speaking for ISPs since 2002, and now has more than a hundred affiliates. In 2013, when several large banks came under fire, NBIP also began focusing on DDoS attacks: what could ISPs do to counter attacks and how could the impact be mitigated? That focus led to the creation of NBIP offshoot NaWas, which offers DDoS security services to ISPs. "Our services are based on the 'fire brigade model'," says de Weerdt. "In other words: they are services that you call on in an emergency." One example is the 'national traffic scrubber'. In the event of an attack, traffic is routed via the scrubber, and the cleaned-up flow forwarded to the target organisation. ISP-centred mitigation is very important, because ISPs play a vital gatekeeping role. Of the 5.8 million Dutch domains, NaWas protects 2.5 million, or 43 per cent.
De Weerdt and Boerman both see knowledge-sharing as the main aim of the study. Greater insight within the industry promotes cooperation amongst individual players and therefore more effective anti-DDoS strategies. Knowledge-sharing also boosts awareness amongst the general public, so that the damage caused by DDoS attacks can be mitigated.
"By linking IP addresses to domains we have for the first time been able to draw conclusions about individual sectors, such as Fashion & Beauty and Education," says Boerman. "We're also able to see whether there are regional patterns, in terms of some parts of the country being attacked more than others." From the survey data, Groningen emerges as the region where DDoS attacks happen most. Could that be because of Google's data centre there? No such link could be found. So it might be down to Groningen's concentration of universities and high schools, which are often targeted.
Data analysis for the study revealed some interesting patterns. Often, the patterns were predictable, such as a spike in attacks on webshops in the run-up to Christmas. At that time of year, attackers probably expect to have maximum impact on shops' activities and earnings. Other patterns were more surprising. A lot of sites belonging to the 'Education' segment were hit by DDoS attacks at about 8:30am, for example. "It makes you think," says Boerman. "Especially when you consider that you can buy a DDoS attack for a few euros."
According to De Weerdt, "It's a common misconception that only high-profile sites are hit by DDoS attacks. In fact, you're more likely to be affected by an attack that isn't targeting you than one that is." The explanation is shared hosting. A DDoS attack impacts on all sites whose servers happen to use the same IP address as the target site. The NBIP-SIDN research found that 3.6 per cent of the affected webshops were primary targets, while 8.4 per cent were victims of collateral damage. In other words, having a low profile is no guarantee of safety.
"There's no doubt that cooperation is now more important than ever," asserts Boerman. "The stronger and broader the chain, the less impact DDoS attacks have." De Weerdt echoes that sentiment: "Like SIDN, NBIP is open to any initiative that will reinforce horizontal or vertical cohesion in the chain."
Result presentation on 19 November
Naturally, the study's full findings are more detailed and more wide-ranging than outlined here. NBIP and SIDN will be making a formal presentation of their results at Seats2Meet in Utrecht at 1pm local time on 19 November.
For the benefit of people with a special interest in the economic impact of DDoS attacks in the Netherlands, we'll be looking more closely at the results, discussing the findings with a panel of experts and asking how we can pool our resources most effectively and protect the country as a whole against DDoS attacks.
The programme for the afternoon is as follows:
13:00 – Reception
14:00 – Opening
14:15 – Presentation of research report: Octavia de Weerdt (NBIP) and Michiel Henneke (SIDN)
15:00 – Bert Tieben (SEO Economic Research) on the economic impact
15:30 – Expert panel discussion
16:15 – Refreshments
Octavia de Weerdt
NBIP's Chief Executive
SIDN Business Analyst